US-8893215

Method and apparatus for providing distributed policy management

Published: November 18, 2014
Assignee: not available in USPTO data we have
Inventors: not available in USPTO data we have
Technical Abstract

An approach is provided for distributed policy management and enforcement. A policy manager determines one or more domains of an information system. The one or more domains are associated at least in part with respective subsets of one or more resources of the information system. The policy manager also determines one or more respective access policies local to the one or more domains. The one or more respective access policies configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof. At least one of the one or more respective access policies is configured to operate independently of other ones of the one or more respective schemas.

Patent Claims
20 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: facilitating, by a processor, a creation and/or a modification of at least one device user interface element, at least one device user interface functionality, or a combination thereof, of a user device based, at least in part, on information, data, and/or a signal resulting from: a local and/or remote determination of one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and in response to an input at the user device by a user other than administrators of the information system, a local and/or remote generation of one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination, at least in part, of access to the respective subsets, the one or more resources, or a combination thereof, wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies, wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, and wherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.

2. A method of claim 1, wherein one or more of boundaries are defined by the user, and the one or more respective access policies are applicable at a boundary of the one or more domains and the one or more other access policies are applicable at another boundary greater than the one or more domains.

3. A method of claim 1, wherein the information, the data, and/or the signal further results from: a local and/or remote determination of one or more types of the one or more resources in the respective subsets, wherein the one or more respective access policies are based, at least in part, on the one or more types, and wherein the one or more domains are defined, in response to a user request, by specifying one or more criteria and then evaluating one or more candidate resources against the criteria for inclusion of the respective subsets of one or more resources of the information system into the one or more domains.

4. A method of claim 1, wherein the information, the data, and/or the signal further results from: a local and/or remote determination of one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries with respect to determining access to the respective subsets, the one or more resources, or a combination thereof; and a local and/or remote determination to associate the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof with the one or more respective access policies.

5. A method of claim 4, wherein the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof are associated with the one or more respective access policies, the one or more domains, the respective subsets, the one or more resources, or a combination thereof as metadata.

6. A method of claim 1, wherein the information, the data, and/or the signal further results from: a local and/or remote reception of a request by the user for access to at least one of the one or more resources; a local and/or remote determination of whether the at least one resource is associated with at least one of the one or more respective access policies; and a local and/or remote determination to grant the access based, at least in part, on the determination with respect to the at least one respective access policy.

7. A method of claim 6, wherein the information, the data, and/or the signal further results from: a local and/or remote determination to retrieve one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries, or a combination thereof associated with the at least one respective access policy, the at least one resource, or a combination thereof, wherein the one or more attributes include traffic and/or load on the network, traffic and/or load on a host server, or a combination thereof, wherein the determining to grant the access is further based, at least in part, on the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof.

8. A method of claim 7, wherein the information, the data, and/or the signal further results from: a local and/or remote determination to initiate a generation, a compilation, or a combination thereof of the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof on the receiving of the request by the user.

9. A method of claim 7, wherein the information, the data, and/or the signal further results from: a local and/or remote determination to store the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof in a cache, wherein one or more subsequent requests by the user for access to the at least one resource is based, at least in part, on the cache.

10. A method of claim 7, wherein the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof are parsed from metadata associated with the at least one respective schema, the at least one resource, or a combination thereof, and wherein at least some of the schemas of the one or more attributes, the one or more rules, or a combination thereof, are normalized, and the one or more attributes, the one or more rules, or a combination thereof, are evaluated based on the at least some of the schemas.

11. A method comprising facilitating access to at least one interface, the interface allowing access to at least one service, the service configured to perform the method of: determining, by a processor, one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and in response to an input at a user device by a user other than administrators of the information system, generating by the processor one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof, wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies, wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, and wherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.

12. A method of claim 11, wherein the service is further configured to: determine one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries with respect to determining access to the respective subsets, the one or more resources, or a combination thereof; and determine to associate the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof with the one or more respective access policies, wherein one or more of the boundaries are defined by the user as surrounding at least one identical subset of the resources, and the one or more respective access policies are more restrictive than the one or more other access policies for accessing the subset, while implemented via a different mechanism.

13. A method of claim 11, wherein the service is further configured to: receive a request for access to at least one of the one or more resources; determine whether the at least one resource is associated with at least one of the one or more respective access policies; and determine to grant the access based, at least in part, on the determination with respect to the at least one respective access policy.

14. A method comprising: determining, by a processor, one or more domains of an information system, the one or more domains associated at least in part with respective subsets of one or more resources of the information system; and in response to an input at a user device by a user other than administrators of the information system, generating by the processor one or more respective access policies local to the one or more domains, the one or more respective access policies configured to enable a determination at least in part of access to the respective subsets, the one or more resources, or a combination thereof, wherein the one or more respective access policies are generated locally and independently from one or more other access policies applicable to the one or more domains, and the one or more respective access policies are configured to operate independently of the one or more other access policies, wherein the one or more respective access policies, the one or more domains, or a combination thereof represent at least in part successive layers of access control with respect to the respective subsets, the one or more resources, or a combination thereof, and wherein the one or more respective access policies are different from the one or more other access policies for accessing the subset, while implemented via a different mechanism.

15. A method of claim 14, further comprising: determining one or more schemas, one or more attributes, one or more rules, source code, binary code, one or more implementation libraries with respect to determining access to the respective subsets, the one or more resources, or a combination thereof; and determining to associate the one or more schemas, the one or more attributes, the one or more rules, the source code, the binary code, the one or more implementation libraries, or a combination thereof with the one or more respective access policies.

16. A method of claim 14, further comprising: receiving a request for access to at least one of the one or more resources; determining whether the at least one resource is associated with at least one of the one or more respective access policies; and determining to grant the access based, at least in part, on the determination with respect to the at least one respective access policy.

17. A method of claim 6, wherein the information, the data, and/or the signal further results from: an identification or generation of source code, binary code, and/or other implementation libraries to enable implementation of the access policies for controlling access to the respective subsets of one or more resources of the information system via a plurality of boundary points, on the receiving of the request by the user; and a coordination of the boundary points for the implementation of the access policies.

18. A method of claim 2, further comprising: obtaining one or more resource attributes at each of the boundaries for making a resource access decision, wherein the one or more resource attributes include metadata of schemas, attributes, rules, source codes, binary codes, libraries, network operation information, or a combination thereof.

19. A method of claim 18, further comprising: determining one or more replaceable tokens referenced upon at least the one or more resource attributes; and defining policy implementation code based, at least in part, on the one or more replaceable tokens.

20. A method of claim 19, further comprising: defining one or more policy rules based on a unary operation, a descriptive language-defined binary string-equals operation, or a combination thereof; and associating the one or more policy rules as the one or more resource attributes.

Patent Metadata

Filing Date

October 29, 2010

Publication Date

November 18, 2014

Cite as: Patentable. “Method and apparatus for providing distributed policy management” (US-8893215). https://patentable.app/patents/US-8893215